Normally, you don't know about these because they are loaded at boot time either via the registry (a part of the operating system that Microsoft warns all users not to read or modify), via Start / Programs / Startup, or by some other method.

In general, when you press Alt-Ctrl-Del (Win 95) you can see those non-operating system programs which are currently running and consuming system resources. Some of these, such as Explorer - the program that displays the Windows desktop, are required by the operating system even though they are not a part of it. You should also see your virus protection software here. However others, such as the advertising parasite TSADBOT.EXE, are not wanted or needed. (At least I don't want it! :)

Rather than delete these entries, I simply comment them out and annotate them with the date and reason. For those in the registry, you can place a few garbage characters (xx) at the beginning of the entry followed by the date; in config.sys and autoexec.bat, use the standard rem statement; and for those in the StartUp directory, move them to another directory created for that purpose.

Of course, I've heard of this before, but the write-ups seemed pretty innocuous - no one ever hinted at how bad this thing really is.

This discussion is not about privacy or security (though they are both issues). Instead, it is about system performance. With Comet Cursor, system performance is significantly reduced.

In 4 hours with this disabled (via ZoneAlarm), MS Access and the Kernel grabbed my machine only twice (that I noticed). On the previous day, with it running, MS Access and the Kernel grabbed the machine about every 10 minutes. It is hard to prove cause and effect ... but for my money, my machine runs MUCH better with it disabled.

Whatever, you do, don't simply delete COMET.DLL. There are so many registry hooks, you really should uninstall it. This can be done via Control Panel / Add/Remove Programs.

Once it is "removed", then you should run Ad-Aware to verify that it is actually gone.

More: After a re-boot, the Kernel is grabbing the machine again. Using the All Open Files of Taskinfo 2000, 6 copies of Comet.dll are currently running on my machine - one is attached to Windows Explorer, one is attached to IE, and four are not accounted for. Also, Zone Alarm did NOT prompt me if it was ok for this parasite to access the internet.

Using the Microsoft System Monitor (Start / Programs / Accessories / System Monitor - it is on your Windows CD, but you must install it), I noticed that the cpu kept going to 100% utilization. Hum. Well, I wanted to know why - which application was crashing my system.

At this point, I loaded and configured Taskinfo 2000 to run every time the system booted. Well, it turned out to be 2 "applications" - MS Access and the Kernel. Pretty weird. I'm sitting there, not doing anything, and one of these 2 programs would simply hog the computer for several seconds.

Well, that was not a very satisfactory answer. So I loaded ZoneAlarm - a free firewall which blocks and/or reports both incomming and outgoing TCP/IP traffic. By default, you get prompted each time an application tries to access the network.

• Yes, Internet Explorer can access the internet
• Yes, MS Access can read a database on a shared drive
• Yes, email can access a shared drive (to get mail, of course)
• Yes, Windows Explorer can access the network

• ??? Why does Windows Explorer want to access 198.65.220.247

http://www.cometsystems.com/contact/host1net.shtml

A search of all the files on the hard drive for "198.65" came up blank.

Based on the registry info

• This was installed with RealNetworks (another parasite that some people think they want. If they knew what it did, they may change their minds.) In particular, it is strongly associated with RealPlayer. (The references state that RealNetworks no longer distributes this.)
• It is listed under Internet Explorer plugins as handling the .css (Cascading Style Sheets) extensions.
• This is the registered uninstall program

  C:\WIN98\SYSTEM\csuninst.exe

• These keys were also found

  HKLM\Software\Comet
  HKLM\Software\Comet Systems
  

After a re-boot, the dll was still there, but it was no longer running.

Ad-Aware 5.0 found

• In the registry, 3 branches (2 with multiple values)

    HKLM\Software\Comet
    HKLM\Software\Comet Systems
    HKLM\Software\Microsoft\Windows\CurrentVersion\
           SharedDLLs\C:\WIN98\SYSTEM\COMET.DLL 

• An empty directory tree - just directories, no files - C:\Program Files\Comet
• The main dll - C:\WIN98\SYSTEM\COMET.DLL

• RealNetworks still has a link to the dll
• Internet Explorer still has a link (for .css) to the deleted file
  C:\Program Files\Netscape\Communicator\Program\Plugins\NP32COMET.DLL

I decided to leave this on the system to see if it would automatically start again. I have fairly tight security, but you never know. If RealAudio ever runs, this parasite will fully re-install itself.

• This zdnet article says "Comet Cursor doesn't really hurt anyone." I say "Bull". It produces a significant impact on your system.
• Here is a very negative article.
• How to configure IE to block a specific site - cometsystems.com - is very interesting, but it sort of misses the point since ZoneAlarm says that the Comet parasite uses Windows Explorer ... not just Internet Explorer. BTW, I only got this message once, I was never able to repeat it.

This parasite is executed via the following registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          BrowserWebCheck="loadwc.exe"

The IE 4 version of webcheck is not compatible with IE 5. If it isn't updated (or perhaps Windows is reloaded) there will be continuous errors (I've seen about once an hour) similar to

  Explorer caused an exception 6d007fh in module Webcheck.dll

To check the version, use msinfo, or in Windows Explorer, right click the file, select Properties and click the Version tab. 5.00.2919.6304 is ok for IE 5; 4.72.3110.0 is not.

Related reference

As of 02-15-2001, the shareware version of pkzip no longer comes with the TSADBOT parasite. Apparently, Conducent (the maker of TSADBOT) has gone out of business.

On July 7, 1998, PKWARE announced that the shareware version of pkzip for windows would ship with special advertisement software. Always running on your system, this parasite allows advertisements to be download from an ad server. The ads are displayed whenever pkzip is running.

Don't get me wrong, PKWARE can do anything it wants to its products, it's always loading a premanently resident program at boot time that I take exception to. In addition, it appears that the program uses the internet even though pkzip is not running.

This parasite is executed via the following registry key

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   TimeSink Ad Client="C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"

On a brand new, never before used NT 4.0 SP3 system with an empty D-drive, FastFind placed the following files

ffastun.ffa     4,109
ffastun.ffl     8,192
ffastun.ffo     4,096
ffastun0.ffx    4,096

total          20,493 bytes

ffastun.ffa     4,379
ffastun.ffl   131,072
ffastun.ffo    57,344
ffastun0.ffx  327,680

total         520,475 bytes

This parasite causes lots of disk activity whenever no one is using the machine. While it may speed up some searches, there is little documentation explaining what it does. (See Overview of Find Fast Indexer for some details.) It is my observation that it frequently activates the hard drive and slows down overall system performance.

When you first boot your system, this parasite is dorment, merely consuming memory but not using a lot of CPU time. After a while, it wakes up using about 50% of the availble processor capacity. (So far, this is not unlike a screen saver which stays in the background until the timer triggers.) However, unlike the screen saver which goes back to sleep, once this parasite is active, it stays active until you re-boot the system.

On an NT 4 system, right click the Task Bar and select Task Manager. On my NT 4 system, under Processes there are 2 instances of FindFast.exe! Currently, my processor indicates that it has been 27 hours since the last re-boot, and 1.5 hours have been used by FindFast.exe! This means that 5.5% of the computer's bandwidth is being wasted by this parasite. In addition, the hard drive is being accessed a little faster than once a second.

I killed it with the End Process button. Now the hard drive is quite.

Program		Mon		Wed
System Idle Process		34:42		59:28
FINDFAST.EXE		32:36		57:33
FINDFAST.EXE		0:00		0:00
System		0:42		1:14
TASKMGR.EXE		2:22		5:52
explorer.exe		0:46		1:39

This system currently has 64 Meg of memory and is using about 40 Meg. Imagine if I had only 32 Meg of RAM how much thrashing there would be.

Over several days of observation, 2 of which are shown above, the findfast CPU Time stayed approximately 2 hours behind the System Idle Process. I assume that this is approximately how long the system was on before findfast activated and that afterwards findfast consumed about 50% of the available CPU time.

• Office 97: How to Disable the Find Fast Indexer
• OFF2000: How to Turn Off the Find Fast Indexer

Apparently, this feature is implemented via Mosearch.exe and Mosdmn.exe, neither of which shows up in the task manager. As with findfast, don't just delete these files. Instead, follow the (very confusing) instructions provided in OFFXP: Hard Disk Runs Continuously After You Install Office XP (Q282106) to disable it. Unfortunately, this feature must be disabled for each installed Office XP application.

• Even after you have registered, some of these programs stay on your hard drive.
• Some of these parasites run every time you re-boot your computer.

Well behaved registration software should run only when you start the associated product. (This is how the standard shareware nag windows work. Irritating, but not a parasite.) In addition, it must remove itself from the hard drive when its task is completed.

When you eventually say that the product is registered, the registration program is not removed from your hard disk. In my opinion, this is completely unacceptable and supports my position that this program should be considered as a parasite.

    [windows]load=C:\BC5\PIPELINE\remind.exe 

• ZoneAlarm - free firewall to block and/or report both incomming and outgoing traffic. (But, apparently suspicious HTTP traffic is not detected.)
• OptOut provides a very complete definition of what SpyWare is and isn't. As a plus, Shields Up attempts to break into your computer (with your permission, of course) and reports your vulnerabilities.

It is loaded at boot time via

   HKLM\..\RunServices 

You know that you have a problem when you start to see files who's names start with fff, such as

   fffeeecf_{44BE8B61-235B-11D2-8E66-D59A4E66D32D}.tmp 

I see this as a border-line parasite. It is definitely a nuisance, and it is very badly behaved, but, perhaps it is useful.

This Microsoft reference states that the extra files accumulate in Windows 95 and 98, but not in NT 4.

Possible Spyware: RPCSS.EXE, mdm.exe provides additional information - specifically that multiple copies of mdm.exe will run concurrently.

I provide support for an application that uses VBScript, and AOL overwrites the VBSCRIPT.DLL file without asking or checking. Since it ALWAYS puts an old version there in place of the existing one, my apps STOP WORKING! We have advised all our users NOT to install AOL under ANY CONDITIONS. I HATE IT.

To quote another article by the same person, the following is presented as AOL's view

AOL's own tech support admits that--- oops!---installing AOL may make your system unable to connect to other ISPs, and that--- oops!--- your internet-sharing software (such as Win98's ICS) may no longer work. But these aren't bugs. It's the software installing itself in exactly the way AOL intends. You simply have to do things the AOL way, period.

Be careful!

Many people like RealAudio, it may even be good software. However,

• It hijacks many file extensions without asking or telling you
• It adds a significant number of entries to the registry, there by slowing down every task on your machine
• It automatically runs every time you boot your machine
• It uses about 30% of your cpu
• The old versions loaded the Comet Cursor parasite

If you configure it so that it does not run every time you start your machine (this requires hacking the registry), the next time you run the software it will reconfigure itself so that, once again, it automatically starts at boot.

scumware.com has nothing nice to say about the ScumLords that add advertising links to other peoples pages. (He refers to this as "traffic theft" and "pirated traffic".) This site even has javascript that "will tell you if your computer is infected with either the TopText or the Surf+ ScumWare infection".

Ad-Aware detects, and optionally removes, advertising programs that "call home" and exchange statistical data.

SpywareInfo - the name says it all.

URL: http:// mc-computing.com / Parasites / Parasites.html